Windows NT Configuration Guidelines
A minimum installation for an NT server is NT 4.0 plus the latest Service Pack, the recommended post-Service Pack patches and the security Hotfixes Microsoft has released for that Service Pack level.
Do not install more than one copy of Windows NT on the same computer. If you must, give the second copy no accounts other than the local Administrator and set a strong password on that account: there are cases where ACLs created by one copy are not enforced while the other copy is running, because each installation has its own security database and its own Administrator.
When installing Windows NT, do not clone an installation by copying the system root directory and associated files from one computer to another. Each NT installation generates a unique machine SID during setup, and the SIDs of its local accounts and groups are derived from it. Cloned machines share the same SIDs, so a local account on one machine is indistinguishable from the corresponding account on the clone, and ACLs meant to grant access to one machine's users grant it to the other's as well. Such copies can compromise the security of the entire network.
Check the hard disk for ROLLBACK.EXE and remove it if present. ROLLBACK destroys critical system information, including the registry and the user account database, and the only recovery from running it is restoring the entire system from a backup tape, if one is available. Microsoft inadvertently distributed ROLLBACK.EXE with some Windows NT 4.0 release media.
Microsoft distributes two types of patches: Service Packs and Hotfixes. Installation order matters: install the Service Pack first, then the Hotfixes written for that Service Pack, because each Hotfix is built against a specific Service Pack level. If you later reinstall the Service Pack (for example after adding a component from the installation CD), reapply the Hotfixes. These fixes can be found at:
Extensive information about installing the Service Pack can be found in the readme.htm file that accompanies it.
Before deploying these fixes on critical systems or to a large number of machines, test each Hotfix to make sure it does not conflict with third-party drivers or applications. Details about the order in which to install Hotfixes can be found in the postspX.txt file, where `X' is the number of the Service Pack you have installed; for Service Pack 5 the file is postsp5.txt.
Since new patches are released frequently, it is difficult for system administrators to keep up with them. Microsoft operates a security notification service that anyone can subscribe to. It keeps subscribers informed about current security issues, how to protect systems against them, and what Microsoft is doing to fix them. For further information on the Microsoft Security Notification Service, see:
Computer viruses spread easily through floppy disks, email, or
programs downloaded from the Internet. Potential problems range from
changing data to reformatting your hard drive. Once created, viruses
can spread without help from their creators. You can get them from
computers at the office, from using computers at school, or from a
document emailed to you by a friend.
To protect your systems, we recommend that you install a virus
scanning/detecting/cleaning program. Our Computer Virus Resources
document links to information about computer viruses, hoaxes, and
chain letters.
http://www.cert.org/other_sources/viruses.html
Once you start using a virus detection/prevention program, it is
very important to keep it up-to-date. New viruses are created
continuously, and vendors of virus detection software offer updates to
detect them. To get the latest updates, check the manuals or the
vendor web page. Some virus detection software allows you to get the
updates automatically via the Internet. Make sure you setup the
software to schedule these updates at least once a week.
We recommend that computers, at the very least, do a quick scan
when the system is booted, as programs are loaded into memory, and
when new data is detected (from email, removable media).
Computers should get a full system scan periodically which can be
scheduled to run when the users are away for the evening.
Before making software available to many machines on a network, install it on a stand-alone machine and scan it for viruses. There have been reports of installation media that contained a virus which the software company distributing the media had not detected.
Keep in mind that many files from a wide variety of users pass through a server, for example through email and file or directory sharing. Consider performing frequent scans of the areas users have read and write access to, performing a full virus scan before each backup, and implementing scanning on mail servers and gateways.
A good method to prevent large outbreaks of computer viruses in an
organization is user education. This may include having policies and
procedures for downloading software, the transfer of software between
internal machines, how to deal with email attachments (executables, and
documents that may have macros), how and when to run anti-virus
software, and what to do when a virus is detected.
Disable unneeded network protocols and services.
At your external connections, block inbound and outbound traffic on TCP and UDP ports 135, 137 and 139, and on UDP port 138. These carry the RPC endpoint mapper (135) and the NetBIOS name, datagram and session services (137, 138, 139); blocking them prevents intruders from gathering useful information such as computer names, usernames and the services running on those computers. The list in section IV, taken from Microsoft Knowledgebase Article Q150543, shows which NT services use these ports.
For additional protection, filter ports on individual NT systems with the TCP/IP Security option in the advanced protocol properties: Start -> Settings -> Control Panel -> Network -> Protocols -> TCP/IP -> Properties -> Advanced -> Enable Security -> Configure. This is useful, for example, for an NT server used only as a public web server: permit only TCP port 80 (HTTP), permit no UDP ports, and permit only IP protocols 6 (TCP) and 17 (UDP). Note that this filter applies to inbound traffic only and does not filter ICMP, so it complements rather than replaces a firewall.
If you need to run Internet Information Server (IIS), make sure the fixes for its known vulnerabilities are applied, and run IIS on a dedicated stand-alone machine rather than on a domain controller or a server that holds other data.
The Windows NT Remote Access Service (RAS) allows remote computers to connect to NT RAS servers over a telephone line or over an intranet using PPTP. If your site requires this service, make sure you:
To increase the level of security for user accounts, implement password policies. Password policies are set in User Manager (Policies -> Account) and enable you to change the following:
In Service Pack 2 and later, stronger password filtering is available through passfilt.dll. To enable the enhanced password policy, refer to the following Microsoft article:
passfilt.dll imposes the following additional restrictions
on passwords:
Use SYSKEY (available from Service Pack 3). SYSKEY encrypts the password hashes in the SAM portion of the registry with a 128-bit key that is unique to each system, so that a copied SAM cannot simply be fed to a password cracker. In its default mode the key is stored on the system itself; for stronger protection SYSKEY can instead require a password or a floppy disk at boot. For further information on configuring and using syskey, see the following Microsoft Knowledgebase article.
By default the built-in Administrator account is never locked out by the account lockout policy, so it is a natural target for brute force logon attempts. You can rename the account in User Manager, but note that the built-in account always has relative ID 500 and can still be identified by that RID. You may also wish to lock out the Administrator account after a set number of failed network logon attempts. The NT Resource Kit utility passprop.exe (passprop /adminlockout) enables lockout of the Administrator account for network logons while still allowing interactive logons at the console of a domain controller.
An alternative that avoids having every member of the Administrators group locked out over the network is to create a local account that belongs to the Administrators group but is denied the right to log on over the network (User Manager -> Policies -> User Rights, "Access this computer from network"). This account can then be used at the console to unlock the other accounts.
Make sure the Guest account is disabled. If it is enabled, users without an account on the machine or domain are authenticated as Guest and receive whatever access Guest and Everyone have.
Secure the Emergency Repair Disk and the %SystemRoot%\repair directory, since both hold a copy of the Security Account Manager (SAM) database (rdisk /s writes it to the repair directory before copying it to the disk). Anyone with access to the disk or the directory can run a password cracking attack against the hashes it contains.
Always use NTFS. NTFS lets you define access control on files and directories.
There are file/directory ACLs (Access Control Lists) and share ACLs. Share ACLs apply only to access through the share, that is, to remote users; file and directory ACLs apply to local and remote access alike. When a file is accessed remotely, the effective permission is the more restrictive of the two: if the NTFS ACL on a file grants READ but the share permission is FULL CONTROL, the result is READ access. Because share permissions do nothing for a user logged on locally, control access with NTFS ACLs and treat share permissions as a second layer.
Ensure that Windows NT is the only operating system installed on machines intended to be servers. The presence of a secondary operating system may allow NT's security features to be bypassed.
Do not install more than one copy of Windows NT on a computer unless absolutely essential. There are cases where ACLs created by one copy of the OS provide no protection when a different copy is active, since the second installation has its own Administrator account and its own set of SIDs.
If you want to prevent a machine from sharing anything, do not start the Server service or the Computer Browser service automatically. Without the Server service the machine cannot offer file and print sharing to others, but it can still connect to shares on other machines, because outgoing connections use the Workstation service.
If you are sharing directories or printers, make sure the permissions are what you expect. By default, a newly created share grants Everyone Full Control.
Even with correct NTFS permissions underneath, replace the Everyone entry on the share with the Users and/or Administrators groups, because Everyone also includes anonymous (null session) users.
Be careful with the FULL CONTROL permission on directories for non-administrator and non-system accounts. The files in a directory can be deleted regardless of their own file permissions if a user has FULL CONTROL on the directory, because FULL CONTROL includes the 'delete child' right (FILE_DELETE_CHILD), which allows deleting a file in the directory even when the user has no delete permission on the file itself. To prevent this, grant a combination of the individual permissions (Special Directory Access) instead of FULL CONTROL.
This batch file exemplifies various NTFS permissions that would
better secure the base file system of a standard NT install. It does
not factor in specific applications.
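The two rules above (a remote user gets the more restrictive of the share and NTFS permissions, and FULL CONTROL on a directory lets a user delete files they could not otherwise delete) in a small model, added here as an example; it is not the batch file or any code from the original guide. The permission bundles are NT 4.0's standard Read/Change/Full Control sets; the paths, groups and ACL entries are constructed for illustration.

```python
import ntpath

# Standard NT4 permission sets as bundles of individual rights. 'delete_child'
# is the FILE_DELETE_CHILD right that Full Control grants on a directory;
# Change and Read do not include it.
NO_ACCESS = frozenset()
READ = frozenset({"read", "execute"})
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_permissions", "take_ownership", "delete_child"}
STANDARD = {"No Access": NO_ACCESS, "Read": READ, "Change": CHANGE, "Full Control": FULL}

# Constructed sample ACLs (made-up paths and entries): path -> {group: permission}.
SAMPLE_NTFS_ACLS = {
    r"C:\data": {"Administrators": "Full Control", "Users": "Full Control"},
    r"C:\data\payroll.xls": {"Administrators": "Full Control", "Users": "Read"},
    r"C:\public": {"Administrators": "Full Control", "Users": "Change"},
    r"C:\public\readme.txt": {"Administrators": "Full Control", "Users": "Read"},
}
SAMPLE_SHARE_ACL = {"Everyone": "Full Control"}   # what NT gives a new share


def rights_for(acl, groups):
    """Rights a caller with the given group memberships gets from one ACL.
    NT4 ACLs are cumulative across the caller's groups, except that a
    'No Access' entry for any of them overrides everything else."""
    rights = set()
    for group in groups:
        perm = acl.get(group)
        if perm == "No Access":
            return frozenset()
        if perm is not None:
            rights |= STANDARD[perm]
    return frozenset(rights)


def standard_name(rights):
    """Map a set of rights back to the NT4 permission name, if it is one."""
    for name, bundle in STANDARD.items():
        if bundle == rights:
            return name
    return "Special Access"


def effective_remote_rights(share_acl, ntfs_acl, groups):
    """Access a remote caller gets to an object reached through a share: the
    intersection of share and NTFS rights, so the more restrictive side wins
    on every individual right."""
    return rights_for(share_acl, groups) & rights_for(ntfs_acl, groups)


def can_delete_file(ntfs_acls, path, groups):
    """NT grants a delete if the caller holds DELETE on the file *or*
    FILE_DELETE_CHILD on the containing directory; the second route is what
    makes Full Control on a directory dangerous even when the file denies it."""
    own = rights_for(ntfs_acls[path], groups)
    parent = ntfs_acls.get(ntpath.dirname(path), {})
    return "delete" in own or "delete_child" in rights_for(parent, groups)


def delete_child_exposures(ntfs_acls, groups):
    """Objects the caller can delete only because of Full Control on the parent."""
    return sorted(
        path for path in ntfs_acls
        if "delete" not in rights_for(ntfs_acls[path], groups)
        and can_delete_file(ntfs_acls, path, groups)
    )


if __name__ == "__main__":
    groups = ["Users", "Everyone"]
    remote = effective_remote_rights(
        SAMPLE_SHARE_ACL, SAMPLE_NTFS_ACLS[r"C:\data\payroll.xls"], groups)
    print("remote access to payroll.xls:", standard_name(remote))
    print("deletable only via parent Full Control:",
          delete_child_exposures(SAMPLE_NTFS_ACLS, groups))
```

Running it reports Read access to payroll.xls through the share (the NTFS READ entry wins over the share's Full Control) and lists payroll.xls as deletable by Users purely because C:\data gives Users Full Control, which is the trap the paragraph above warns about.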
This list gives registry settings that administrators may find useful for enhancing the security of an NT system.
To allocate the floppy drive to the interactively logged-on user only, so that it cannot be accessed remotely or by other users' processes, use the AllocateFloppies setting. The user who is logged on locally can still access the drive.
To do the same for the CD-ROM drive, use the AllocateCDRoms setting. Again, the user who is logged on locally can still access the drive.
To display a legal notice before a user enters a username and password, set LegalNoticeCaption (the dialog title) and LegalNoticeText (the message). The notice is only displayed to users logging on locally. We encourage you to discuss the content of this banner with your legal counsel.
When a user logs on successfully, NT shows that username by default in the logon dialog the next time someone logs on. Knowing a valid username removes half the work of a dictionary or brute force attack. To prevent the name of the last logged-on user from being displayed, use the DontDisplayLastUserName setting.
To deter unknown persons from shutting down NT systems, deactivate the Shutdown button on the logon screen with the ShutdownWithoutLogon setting. A user then has to log on before shutting down the machine, and if logon auditing is enabled the administrators can determine who rebooted the system. This does not stop someone with physical access from simply removing power.
By default NT caches the credentials of the last 10 interactive domain logons so that those users can still log on when no domain controller is available. To prevent the caching of logon information, set CachedLogonsCount to 0; the value can range from 0 to 50. With 0, domain users cannot log on to the machine while no domain controller is reachable, so consider the trade-off for laptops and remote sites.
For more information on cached logons, see:
By default, any user can add printer drivers to an NT system. Printer drivers run in kernel mode on NT 4.0, so this is a way to introduce arbitrary privileged code. To restrict adding printer drivers to administrators, make the following registry change (AddPrinterDrivers):
Although there is no clear evidence that the OS/2 and POSIX subsystems are a security risk, you may wish to disable them if they are not required: they are rarely needed, and each is additional code running with system privileges. Remove the OS2 and POSIX values from the Subsystems key, and clear the Optional value in the same key, which lists the subsystems that are started on demand.
Name: POSIX
To prevent guest and anonymous (null session) users from reading the Application event log, set RestrictGuestAccess to 1 under the EventLog\Application key. Also set proper access control on the registry key itself, since whoever can edit the key can undo the setting. See section VII.B for further information on controlling access to the registry.
To do the same for the System event log, set RestrictGuestAccess to 1 under the EventLog\System key, and again set proper access control on the registry key (see section VII.B).
The default configuration of the Security event log already prevents ordinary users from viewing it.
NT allows non-authenticated (null session) users to list domain usernames and share names. This information is useful to intruders as the starting point of a password guessing attack. To prevent this type of access, set RestrictAnonymous under the Lsa key (requires Service Pack 3 or later).
For further information on preventing anonymous access to NT devices, see:
NT uses two authentication protocols. LanManager (LM) authentication is kept for backward compatibility and is inherently weak: the LM hash is computed from the password converted to upper case and split into two 7-character halves, so each half can be attacked separately and letter case adds nothing. NT (NTLM) authentication hashes the full, case-sensitive Unicode password and supports mixed-case and special characters; with Service Pack 4 the stronger NTLMv2 is also available. To stop sending LM responses, set LMCompatibilityLevel under the Lsa key: 3 on workstations and member servers sends NTLMv2 responses only, and 5 on domain controllers refuses both LM and NTLM responses (levels 3 to 5 need Service Pack 4 or later). Raising the level breaks authentication from clients that can only do LM, such as Windows 95/98 without an updated client, and this configuration may be incompatible with some versions of Samba.
For further information on disabling LanManager authentication in Windows NT, see:
To enable the enhanced password policy, add passfilt.dll to the Notification Packages value under the Lsa key. See section V, Passwords, for further information on passfilt.dll. The value is a REG_MULTI_SZ: add passfilt.dll as an additional string and be careful not to remove any existing strings (such as FPNWCLNT) when editing it.
To prevent remote users from viewing the NT registry, create the winreg key under SecurePipeServers with the Description value shown below. The access control on that key then determines who may connect to the registry remotely. On NT Server the key exists by default; on NT Workstation it must be created.
For further information on restricting access to the NT registry, see:
To prevent users from changing the attributes of shared system objects (e.g. printer settings), set ProtectionMode under the Session Manager key, which tightens the default ACLs on base system objects.
By default the paging file is not cleared at shutdown. It may contain clear text passwords or other sensitive data paged out of memory, which anyone who boots another operating system on the machine can read from the disk. To make NT clear the paging file when the machine is shut down, set ClearPageFileAtShutdown under the Memory Management key.
For further information, see:
To prevent "man-in-the-middle" attacks on SMB sessions, enable SMB signing (available from Service Pack 3). There are two steps. The first enables signing on the workstation (redirector) side, under the Rdr\Parameters key, with EnableSecuritySignature (signing offered) and RequireSecuritySignature (signing mandatory). The second does the same on the server side, under the LanManServer\Parameters key, with the same two value names, EnableSecuritySignature and RequireSecuritySignature. Signing adds CPU overhead on both ends, and a server that requires signing refuses connections from clients that cannot sign, such as NT before Service Pack 3 or Windows 9x without an updated client.
For further information, see:
NT creates a number of hidden shares (C$, D$, ADMIN$) that are not visible through browsing but can still be connected to by members of the Administrators group. These are known as administrative shares. They are generally used for remote administration and backup, but if this is not necessary you can disable them with the AutoShareServer (NT Server) or AutoShareWks (NT Workstation) setting. The IPC$ share is not affected by this setting.
Another way to stop a machine from being browsed to by other NT workstations is to disable the Server service and the Computer Browser service. This is most practical for end user workstations that should not be sharing anything. With these services disabled it is still possible to connect to other devices that are sharing.
In conjunction with disabling the Server service, set the Start value of the LanmanServer and Browser services as shown.
ISS has a utility called everyone2user.exe that changes all instances of the Everyone group in ACLs to the Users group. Everyone also includes unauthenticated (null session) users, whereas Users contains only accounts that have actually been authenticated.
Any key with TREE next to it means all of the keys
that are below it should also have the ACLs set.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog TREE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Profile List
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services TREE
The audit logs can be configured to take one of three actions when they are full. Overwriting old events as needed is easy to maintain but can lose information. Overwriting events older than a set number of days is a compromise. Not overwriting any events ensures that no logging data is lost, but can become a denial of service issue: once the log is full, new events are dropped until the log is cleared manually (and if CrashOnAuditFail is set, the system halts). Whichever option you choose, size the logs so that they are not full before they are archived.
Keep in mind that not all applications log to the Event Viewer so make
sure you know where all the logs are being stored. One example of
this is Microsoft Internet Information Server which stores logs in the
c:\winnt\system32\logfiles directory.
In a high security environment the CrashOnAuditFail setting will stop (crash) the computer if the Security log fills up rather than let unaudited activity continue. Once this has happened, NT sets the value to 2 and only members of the Administrators group can log on until the log has been cleared and the value set back to 1. The following Knowledgebase article gives further information about this registry setting.
http://support.microsoft.com/support/kb/articles/q140/0/58.asp
By default not all privileges are audited. The FullPrivilegeAuditing setting additionally audits use of the backup and restore, debug programs, bypass traverse checking and replace a process level token privileges. During backups and restores this produces a very large number of events in the audit log.
In high security environments, auditing of base objects should be enabled with the BaseObjectAuditing setting. After setting this registry value, use User Manager to enable object access auditing in the audit policy; the registry value alone does not begin it.
Using User Manager (Policies -> Audit), you can define an audit policy covering logon and logoff, file and object access, use of user rights, user and group management, security policy changes, restart and shutdown, and process tracking. Each category can record successful and/or failed attempts. We suggest that you audit failed logon attempts at the very least, and review the Security log for them regularly: a run of failures against one account, especially Administrator, is the signature of a password guessing attack.
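An added example of the failed-logon review the paragraph recommends, run over constructed Security log records; it is not code from the original guide. The record layout (date, time, event id, logon type, account, domain, workstation, tab-separated) and the thresholds are assumptions made for the example; a real export, for instance from the Resource Kit's dumpel, has a different column layout and only parse_record() needs adapting. The event IDs are NT 4.0's: 529 logon failure, 528 successful logon, 517 audit log cleared.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# NT4 Security log event IDs and the logon type used below.
LOGON_FAILURE = 529        # unknown user name or bad password
LOGON_SUCCESS = 528
AUDIT_LOG_CLEARED = 517
NETWORK_LOGON_TYPE = "3"   # logon over the network (share, named pipe)

# Constructed sample records in an assumed tab-separated layout:
# date, time, event id, logon type, account, domain, workstation.
SAMPLE_LOG = """\
2000-04-17\t09:00:01\t529\t3\tbob\tCORP\tWKS07
2000-04-17\t09:10:00\t529\t3\tAdministrator\tCORP\tWKS42
2000-04-17\t09:10:05\t529\t3\tAdministrator\tCORP\tWKS42
2000-04-17\t09:10:09\t529\t3\tAdministrator\tCORP\tWKS42
2000-04-17\t09:10:14\t529\t3\tAdministrator\tCORP\tWKS42
2000-04-17\t09:10:20\t529\t3\tAdministrator\tCORP\tWKS42
2000-04-17\t09:10:31\t528\t3\tAdministrator\tCORP\tWKS42
2000-04-17\t09:15:00\t517\t-\tAdministrator\tCORP\tSRV1
2000-04-17\t11:00:00\t528\t2\talice\tCORP\tSRV1
"""


def parse_record(line):
    """Split one record of the assumed layout into a dict."""
    date, time, event_id, logon_type, account, domain, workstation = line.split("\t")
    return {
        "when": datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S"),
        "event_id": int(event_id),
        "logon_type": logon_type,
        "account": account.lower(),   # NT account names are case-insensitive
        "domain": domain,
        "workstation": workstation,
    }


def analyse(log_text, threshold=5, window=timedelta(minutes=5)):
    """Scan records in time order; return (kind, account, workstation, when)
    alerts for: 'brute_force' (threshold or more 529s for one account from
    one workstation inside the sliding window), 'success_after_failures'
    (a 528 for a pair already flagged, so the guessing may have worked),
    'remote_admin_logon' (a network 528 for Administrator) and
    'audit_log_cleared' (event 517)."""
    events = sorted((parse_record(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["when"])
    recent = defaultdict(deque)   # (account, workstation) -> failure timestamps
    flagged = set()
    alerts = []
    for e in events:
        key = (e["account"], e["workstation"])
        if e["event_id"] == LOGON_FAILURE:
            q = recent[key]
            q.append(e["when"])
            while q and e["when"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("brute_force", e["account"], e["workstation"], e["when"]))
        elif e["event_id"] == LOGON_SUCCESS:
            if key in flagged:
                alerts.append(("success_after_failures", e["account"], e["workstation"], e["when"]))
            elif e["account"] == "administrator" and e["logon_type"] == NETWORK_LOGON_TYPE:
                alerts.append(("remote_admin_logon", e["account"], e["workstation"], e["when"]))
        elif e["event_id"] == AUDIT_LOG_CLEARED:
            alerts.append(("audit_log_cleared", e["account"], e["workstation"], e["when"]))
    return alerts


if __name__ == "__main__":
    for kind, account, workstation, when in analyse(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:<22} {account}@{workstation}")
```

On the sample data the fifth failure from WKS42 trips the brute-force alert, the network logon that follows it is reported as a probable success of that attack, and the 517 is reported on its own: an audit log being cleared outside a maintenance window deserves a phone call regardless of who did it.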
When changing the properties for files and directories, you can
also audit various events such as read, write, execute, delete, change
permission, and taking ownership. When defining the audit policy for
a drive or directory, you can have the policy be the same for all of
the files and directories below it.
The third area to define auditing is in the registry. Much like
defining file and directory audit properties, you can track actions
taken in the registry on the various keys.
II. Patches
The CERT®/CC and AusCERT continuously receive reports about sites that have been compromised because they had not applied the latest patches. One of the most important tasks of a systems administrator is to keep the operating system and the software installed on a system current with the latest patches. Many of these patches fix security vulnerabilities that are well known to intruders.
III. Computer Virus Prevention
http://www.auscert.org.au/Information/Sources/virus.html
IV. Network Configurations
List of ports used by Windows NT version 4.0 services (from Microsoft Knowledgebase Article Q150543):
Function                 Static ports
--------                 ------------
Browsing                 UDP:137,138
DHCP Lease               UDP:67,68
DHCP Manager             TCP:135
Directory Replication    UDP:138 TCP:139
DNS Administration       TCP:139
DNS Resolution           UDP:53
Event Viewer             TCP:139
File Sharing             TCP:139
Logon Sequence           UDP:137,138 TCP:139
NetLogon                 UDP:138
Pass Through Validation  UDP:137,138 TCP:139
Performance Monitor      TCP:139
PPTP                     TCP:1723 IP Protocol:47
Printing                 UDP:137,138 TCP:139
Registry Editor          TCP:139
Server Manager           TCP:139
Trusts                   UDP:137,138 TCP:139
User Manager             TCP:139
WinNT Diagnostics        TCP:139
WinNT Secure Channel     UDP:137,138 TCP:139
WINS Replication         TCP:42
WINS Manager             TCP:135
WINS Registration        TCP:137
V. Passwords
VI. File System and Shares
An alternative operating system such as MS-DOS, Windows 95 or Linux booted on the same machine can run programs that read and write NTFS partitions directly, circumventing ACL protection entirely: NTFS ACLs are enforced only by the NT kernel that owns the disk.
VII. Registry
All of the following values live under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]:
Name: AllocateFloppies
Type: REG_SZ
Default Value: 0
Recommended Value: 1
Name: AllocateCDRoms
Type: REG_SZ
Default Value: 0
Recommended Value: 1
Name: LegalNoticeCaption
Type: REG_SZ
Default Value: not set
Recommended Value: COMPANY *** LEGAL NOTICE
Name: LegalNoticeText
Type: REG_SZ
Default Value: not set
Recommended Value: This device is for *** related work only. Authorized Users Only.
Name: DontDisplayLastUserName
Type: REG_SZ
Default Value: not set
Recommended Value: 1
Name: ShutdownWithoutLogon
Type: REG_SZ
Default Value: 1 on NT Workstation, 0 on NT Server
Recommended Value: 0
Name: CachedLogonsCount
Type: REG_SZ
Default Value: not set (NT behaves as if it were 10)
Recommended Value: 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers]
Name: AddPrinterDrivers
Type: REG_DWORD
Default Value: not set
Recommended Value: 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
Name: OS2
Type: REG_EXPAND_SZ
Default Value: %SystemRoot%\system32\os2ss.exe
Recommended Value: remove the value
Name: POSIX
Type: REG_EXPAND_SZ
Default Value: %SystemRoot%\system32\psxss.exe
Recommended Value: remove the value
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
Name: RestrictGuestAccess
Type: REG_DWORD
Default Value: not set
Recommended Value: 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
Name: RestrictGuestAccess
Type: REG_DWORD
Default Value: not set
Recommended Value: 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
Name: RestrictAnonymous
Type: REG_DWORD
Default Value: not set
Recommended Value: 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
Name: LMCompatibilityLevel
Type: REG_DWORD
Default Value: 0
Recommended Value (Workstation): 3
Recommended Value (Domain Controller): 5
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
Name: Notification Packages
Type: REG_MULTI_SZ
Default Value: not set, or FPNWCLNT on some systems (keep any existing strings)
Recommended Value: passfilt.dll (added to the existing strings)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg]
Name: Description
Type: REG_SZ
Default Value: not set (the key is present on NT Server and absent on NT Workstation)
Recommended Value: Registry Server
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
Name: ProtectionMode
Type: REG_DWORD
Default Value: 0
Recommended Value: 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
Name: ClearPageFileAtShutdown
Type: REG_DWORD
Default Value: 0
Recommended Value: 1
Workstation (redirector) side:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
Name: RequireSecuritySignature
Type: REG_DWORD
Default Value: 0
Recommended Value: 1
Name: EnableSecuritySignature
Type: REG_DWORD
Default Value: 1
Recommended Value: 1
Server side:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
Name: RequireSecuritySignature
Type: REG_DWORD
Default Value: 0
Recommended Value: 1
Name: EnableSecuritySignature
Type: REG_DWORD
Default Value: 0
Recommended Value: 1
[HKEY_LOCAL_MACHIN\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
Name (on NT Server, including domain controllers): AutoShareServer
Name (on NT Workstation): AutoShareWks
Type: REG_DWORD
Default Value: not set (the administrative shares are created)
Recommended Value: 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer]
Name: Start
Type: REG_DWORD
Value: 3 (manual start; 4 disables the service entirely)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
Name: Start
Type: REG_DWORD
Value: 3 (manual start; 4 disables the service entirely)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes TREE
HKEY_LOCAL_MACHINE\SOFTWARE\Windows 3.1 Migration Status TREE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths TREE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer TREE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Embedding TREE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Type 1 Installer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug TREE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility TREE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MCI TREE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MCI Extensions TREE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers TREE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDrivers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW TREE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports TREE
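An added example, not from the original guide, that reads a REGEDIT4 export (what regedit /e produces on NT 4.0) and compares a subset of the settings in this section against the recommended values, including the caveat that passfilt.dll must be added to Notification Packages without removing the strings already there. Both exports are constructed for the example; the key paths are the standard NT 4.0 locations of these values, and the baseline list is an assumption to extend with your own policy.

```python
# REGEDIT4 is the text format written by "regedit /e" on NT 4.0.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
LANMAN_SERVER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters"

# Subset of this guide's recommendations: (key, value name, expected). A str
# expects REG_SZ, an int expects REG_DWORD, a list expects a REG_MULTI_SZ
# that *contains* the strings (whatever else is in it is left alone).
BASELINE = [
    (WINLOGON, "DontDisplayLastUserName", "1"),
    (WINLOGON, "CachedLogonsCount", "0"),
    (WINLOGON, "ShutdownWithoutLogon", "0"),
    (LSA, "RestrictAnonymous", 1),
    (LSA, "LMCompatibilityLevel", 3),            # 5 on a domain controller
    (LSA, "Notification Packages", ["passfilt.dll"]),
    (LANMAN_SERVER, "EnableSecuritySignature", 1),
    (LANMAN_SERVER, "RequireSecuritySignature", 1),
]

# Constructed exports: defaults of a fresh install (FPNWCLNT is the string
# commonly found in Notification Packages), then the values after hardening.
DEFAULT_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="0"
"CachedLogonsCount"="10"
"ShutdownWithoutLogon"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"LMCompatibilityLevel"=dword:00000000
"Notification Packages"=hex(7):46,50,4e,57,43,4c,4e,54,00,00
"""

HARDENED_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"CachedLogonsCount"="0"
"ShutdownWithoutLogon"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"LMCompatibilityLevel"=dword:00000003
"Notification Packages"=hex(7):46,50,4e,57,43,4c,4e,54,00,70,61,73,73,66,69,\
  6c,74,2e,64,6c,6c,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
"EnableSecuritySignature"=dword:00000001
"RequireSecuritySignature"=dword:00000001
"""


def _logical_lines(text):
    """Yield lines with regedit's trailing-backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        yield pending + line
        pending = ""
    if pending:
        yield pending


def _parse_data(raw):
    """Decode the right-hand side of a REGEDIT4 line into (kind, value)."""
    if raw.startswith('"') and raw.endswith('"'):
        return "sz", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return "dword", int(raw[len("dword:"):], 16)
    if not raw.startswith("hex"):
        return "unknown", raw
    data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
    if raw.startswith("hex(7):"):   # REG_MULTI_SZ: ANSI strings, NUL separated, double NUL terminated
        return "multi_sz", [s for s in data.decode("latin-1").split("\0") if s]
    return "binary", data


def parse_reg(text):
    """Map (key, value name) -> (kind, value); both compare case-insensitively."""
    values, key = {}, None
    for line in _logical_lines(text):
        if not line or line.upper() == "REGEDIT4" or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        if key is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        values[(key, name.strip().strip('"').lower())] = _parse_data(data.strip())
    return values


def check_baseline(values, baseline=BASELINE):
    """Return (value name, actual, expected) for every baseline entry that is
    missing or weaker than recommended; an empty list means compliant."""
    findings = []
    for key, name, expected in baseline:
        entry = values.get((key.lower(), name.lower()))
        if entry is None:
            findings.append((name, "not set", expected))
            continue
        kind, actual = entry
        if isinstance(expected, list):
            have = {s.lower() for s in actual} if kind == "multi_sz" else set()
            ok = all(want.lower() in have for want in expected)
        elif isinstance(expected, int):
            ok = kind == "dword" and actual == expected
        else:
            ok = kind == "sz" and actual == expected
        if not ok:
            findings.append((name, actual, expected))
    return findings


if __name__ == "__main__":
    for name, actual, expected in check_baseline(parse_reg(DEFAULT_EXPORT)):
        print(f"{name}: found {actual!r}, recommended {expected!r}")
    print("hardened export findings:", check_baseline(parse_reg(HARDENED_EXPORT)))
```

The check treats a value that is absent as a finding, because for most of these settings "not set" means the insecure default (no anonymous restriction, no SMB signing, cached logons on), and it only asks that passfilt.dll be present in Notification Packages, so an export that kept FPNWCLNT alongside it passes while one that replaced it would still pass the check but break whatever depended on the removed package.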
VIII. Audit Logs
There are three areas where security auditing can be enabled. By default, all security auditing is disabled. All of the logs are viewed through the Event Viewer (Start -> Programs -> Administrative Tools -> Event Viewer). The log files themselves are stored in %SystemRoot%\system32\config as SecEvent.Evt (Security), AppEvent.Evt (Application) and SysEvent.Evt (System).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
Name: CrashOnAuditFail
Type: REG_DWORD
Value: 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
Name: FullPrivilegeAuditing
Type: REG_DWORD
Value: 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
Name: BaseObjectAuditing
Type: REG_DWORD
Value: 1
References
Revision History
April 17, 2000: Initial Release